There is only so long that we can exist within a certain paradigm. Our industry has become aware that cyber-attacks on mechanical and electrical (M&E) control systems can immobilize communication systems and business operations. Data center owners and operators respond in one of three ways:
- Organizations that know they have a problem and think they are protected through air-gapping.
- Organizations that have external connections but believe that they have a secure electronic perimeter, and
- Organizations that think they are exposed to external attack vectors through the Internet and wireless devices, directly or indirectly connected to the control network.
Air-gapping is not practical
Air-gapping systems as an answer to protecting critical infrastructure from potential cyber-attacks is simply not practical: the gap is routinely bridged by vendor maintenance laptops, portable media and remote-support links, often without the owner knowing. A new approach is evolving through understanding the issues in more depth.
Whilst the threat of external attack is relatively obvious, what concerns me is the basis upon which data center operators believe they are secure.
Has the operators' external connectivity status been verified, and if so, by whom? If the verification came from the control and monitoring systems supplier, that is the same community which has somehow neglected to inform data center owners and operators about these vulnerabilities, even though its ICS experience means it knows about them. When did you last hear an M&E control systems supplier tell a data center owner that firewall software was out of date, or that a device controller needed patching against a known cyber threat?
It seems to me there’s an obvious professional and moral duty on the part of the data center control and monitoring systems community to advise data center operators and owners of known vulnerabilities - at the very least those which are published on the vendor website or reported through ICS-CERT.
Secure is a relative term within heterogeneous technology environments. As more devices become connected, electronic security perimeters (ESPs) become less defined. Virtually every data center runs control protocols with little or no built-in security.
The cybersecurity risks associated with physical and remote access, IT architecture, and portable and wireless devices, to name a few, must be measured, assessed and remediated.
For example, frequently overlooked security risks include general-purpose machines connected to the M&E network and its devices, the long lifecycle of M&E components compared to IT equipment, weak patching policies, and the difficulty of testing configuration or firmware changes before they go live.
The rules of the game are changing
Firms will have to improve their ability to withstand cyber-attacks under the first EU-wide rules on cybersecurity, approved by MEPs earlier this year. The new Directive on Security of Network and Information Systems (NIS Directive) lays down security and incident-reporting obligations for "operators of essential services."
On 13th September 2016, following a letter it had sent to Federal and State financial regulators on 9th November 2015, the New York State Department of Financial Services (NYDFS) issued a proposed regulation that would impose rigorous cybersecurity requirements on banks and other financial institutions.
Under the proposed regulation, each institution must have a written cybersecurity policy covering every aspect of its cybersecurity program, in line with the proposed regulation's requirements. This is significant, as it would be the first regulation of its kind in the nation.
Currently there is a lack of non-IT, M&E-specific cyber engineering knowledge, and IT security teams have to bring their critical facilities up to the same level of security as the rest of the estate. Will legislation eventually drive the integration of software security and the M&E physical infrastructure within critical infrastructures, so that risks are identified and mitigation procedures implemented across both?